From patchwork Tue Apr 1 18:15:30 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4202
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 1 Apr 2025 20:15:30 +0200
Message-ID: <20250401181535.7854-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v1] dco-win: Fix crash when cancelling pending operation
From: Lev Stipakov The OVERLAPPED structure must remain valid for the entire duration of an asynchronous operation. Previously, when a TCP connection was pending inside the NEW_PEER call, the OVERLAPPED structure was defined as a local variable within dco_p2p_new_peer(). When CancelIo() was called later from close_tun_handle(), the OVERLAPPED structure was already out of scope, resulting in undefined behavior and stack corruption. This fix moves the OVERLAPPED structure to the tuntap struct, ensuring it remains valid throughout the operation's lifetime. GitHub: #715 Change-Id: Ib1db457c42a80f6b8fc0e3ceb4a895d4cf7f0155 Signed-off-by: Lev Stipakov Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/928 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 8b47124..a386e53 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c @@ -321,7 +321,7 @@ } void -dco_p2p_new_peer(HANDLE handle, struct link_socket *sock, struct signal_info *sig_info) +dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info) { msg(D_DCO_DEBUG, "%s", __func__); @@ -395,8 +395,8 @@ ASSERT(0); } - OVERLAPPED ov = { 0 }; - if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_PEER, &peer, sizeof(peer), NULL, 0, NULL, &ov)) + CLEAR(*ov); + if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_PEER, &peer, sizeof(peer), NULL, 0, NULL, ov)) { DWORD err = GetLastError(); if (err != ERROR_IO_PENDING) @@ -405,7 +405,7 @@ } else { - dco_connect_wait(handle, &ov, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info); + dco_connect_wait(handle, ov, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info); } } } diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 95c95c8..e8e4e22 100644 
--- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -63,7 +63,7 @@ dco_mp_start_vpn(HANDLE handle, struct link_socket *sock); void -dco_p2p_new_peer(HANDLE handle, struct link_socket *sock, struct signal_info *sig_info); +dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info); void dco_start_tun(struct tuntap *tt); diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 09de1b0..beb31fa 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2242,7 +2242,7 @@ } else { - dco_p2p_new_peer(c->c1.tuntap->hand, sock, sig_info); + dco_p2p_new_peer(c->c1.tuntap->hand, &c->c1.tuntap->dco_new_peer_ov, sock, sig_info); } sock->sockflags |= SF_DCO_WIN; diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index b616f5d..bcc23b4 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -215,6 +215,7 @@ #ifdef _WIN32 HANDLE hand; + OVERLAPPED dco_new_peer_ov; /* used for async NEW_PEER dco call, which might wait for TCP connect */ struct overlapped_io reads; struct overlapped_io writes; struct rw_handle rw_handle;
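Review bot: In the dco_win.c hunk that replaces the local `OVERLAPPED ov = { 0 };` with `CLEAR(*ov);`, the new `ov` parameter is dereferenced without a check, and nothing in the hunk prevents a second NEW_PEER from reusing `dco_new_peer_ov` while an earlier one is still pending (the structure is zeroed unconditionally on every call). An `ASSERT(ov);` before `CLEAR(*ov);` and a comment on `dco_p2p_new_peer()` stating that the caller owns the OVERLAPPED and must keep it valid and untouched until the operation completes or is cancelled would make the new contract explicit for future callers.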
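Review bot: The tun.h hunk gives the OVERLAPPED a stable home in `struct tuntap`, but `CancelIo()` only requests cancellation: the kernel can still write the completion status into `dco_new_peer_ov` after the call returns, so the structure must also outlive the cancellation until the operation has actually completed. The commit message says `CancelIo()` is called from `close_tun_handle()`, which this diff does not touch, so it is worth confirming (or adding a comment next to the new `dco_new_peer_ov` field noting) that `close_tun_handle()` waits for the cancelled operation to complete, for example with `GetOverlappedResult()` and `bWait` set to `TRUE`, before the tuntap structure is freed; otherwise the fix moves the lifetime problem from the stack to the heap rather than closing it.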